Archive for August, 2012


Found to infect another site with the Blackhole Exploit, a user reported this issue on the avast! forums. Confirmed with urlQuery and Sucuri, researching the blackhole site: Google says it has infected over 23 sites while Sucuri says it’s been used for redirection.

So, just how many scanners will detect this (Besides urlQuery and Sucuri of course)?

Interesting,
~!Donovan

Advertisements

Today I was searching on Google and guess what I found? A related post to the KaiXin Exploit Kit article. On twitter. Trying to visit directly gives a 404 error, which means that Twitter deleted it. This is when Google’s Cache saves us. :)

The Tweet

The Tweet

Guess what? The Mediafire link still works. :)

However, scanning it on VirusTotal, I get various Trojan Dropper alerts. Check out the results.

KaiXin Exploit Kit.zip Contents

KaiXin Exploit Kit.zip Contents

So its the real deal and KaiXin was finished around 8-4-12. Interesting.
~!Donovan

After you have downloaded the executable payload, whether its shellcode, java, flash, you now have to find more information about it online. Usually if the kind of file is very new, you will not find anything.  However, there might be the occasional blog post or two, so remember to search the files online. Before you jump into searching, there is a specific routine that you must follow..

Use specific searching queries.

  • File Names
  • Hashes (MD5, SHA1, SHA256)
  • Related Websites (Domains, IPs)

If you did not find anything, be the first to analyze it! Check out our list of tools.

From there you have to use the information you found, and the information you researched, to make a summary of the malicious file(s) and what they do. If there are multiple files that act similarly, you should use the keyword variant. For example, MeDoS is planned to use 2 different methods and 5 different obfuscation algorithms. You would classify each as follows..

  • MeDoS[M1-O1]
  • MeDoS[M1-O2]
  • MeDoS[M1-O3]
  • MeDoS[M1-O4]
  • MeDoS[M1-O5]
  • MeDoS[M2-O1]
  • MeDoS[M2-O2]
  • MeDoS[M2-O3]
  • MeDoS[M2-O4]
  • MeDoS[M2-O5]

Once you are finished, report your findings ASAP. Many antiviruses do not detect malware until it is already out and someone is infected.

~!Donovan

List of Tools and Their Use

WEBSITE ANALYSIS

 

Automated Analysis:

Evuln Web Security – XSS & SQL injection tests, iframes, javascript, and search redirects

urlQuery – Domain map, deobfuscated results, site preview, even IDS alerts

Quttera – Friendly UI with detailed reports

Wepawet – Deobfuscated results, network activity, activeX controls, even shellcode

Comodo SiteInspector – Blacklisting, phishing, malicious, suspicious, and download activity

Unmask iFrame – Find all iframes in a given URL

Sucuri SiteCheck – Blacklisting, malware, redirects, outdated software

Zulu zScanner – Host, url, and content checks

Unmask Parasites – Searches for long lines and hidden iframes

 

Website Returns & Responses:

JSunpack – All webpage returns including deobfuscated content

HTML Sniffer – Check the content of a webpage with various requests

Redleg File Viewer – Search URLs for suspicious elements

vURL – Dissect URLs for external links, scripts, and iframes

 

Deobfuscators & Beautifiers:

jsBeautify – Make javascript readable

Unescape Decoder – Decode unescape()

Dean Edwards Unpacker – Decode Dean Edwards’ algorithm

Encode Decode – Deobfuscate Shifted unescape()

Base64 Decoder – Decode Base64

PHP Deobfuscator – Decode common PHP obfuscation functions

 

Blacklists:

CleanMX – Various different queries available with quick-updates

Malware Domain List – A complete list of malicious domains

urlVoid – Check with over 25 different engines

ScanURL – Check with 3 different url scanners

BadMalWeb – Find malicious websites in a virtually unlimited database

Google SafeBrowsing – Check for malicious activity

Webutation – Reputation check

RBL Blacklist – Check with over 25 private blacklists

RBLS Blacklist – Check with over 15 private blacklists

VirusTotal – Check with over 30 different url scanners

 

Latest Exploits:

Emerging Threats – The latest malicous exploits and trends

Malware Analysis Search – A custom google search just for analyst

1337day – database of exploits for security researchers

Intelligent Exploit – joomla, wordpress, and other common software exploits

CXSecurity – latest CVE exploits

Exploit Database – Various exploits, including remote, local, and web categories

CVE Details – Details of CVE exploits

Exploit Search – Search various CVE exploits

OWASP – Exploit algorithms explained and prevention

FILE ANALYSIS

 

Comodo Analysis –  events, mutexes, threads, and more

VirusTotal – Check against 40 different antivirus engines

CWSandbox – Arguably the most specific file analysis

Anubis -Network, file, and registry activities

Bleeping Computer Statups – List of good/bad statup entries

Malwr – Screenshots, process tree, behavioral analysis

Minotaur Analysis – Screenshots, domain information, video analysis

Shellcode 2 Exe – Convert shell to exe

Avast! Online Scan – Scan using avast’s engine

Is This File Safe? – Check if file is blacklisted as malicious

Dr.Web Online Check – Scan using Dr.Web’s engine

VX Vault – Search the file’s MD5 in a top-notch database

Note that the above lists are in order based on how much I find the site useful. Maybe I’ll have enough time to make an application featuring many of these sites’ features. Many of these sites were found by Polonus.

Put these tools to good use,
~!Donovan

ipad2free4u Scam On Twitter

Scam Tweet

Today a guy on twitter that goes by “Dyner Cobb @dynerauiuih8” decided to send me a random bit.ly link.

ipad2free4u Site

Heh, interesting look to the site without javascript. But the thing that got me was the disabled right click. So, lets dig a little deeper. First lets check his profile..

Dyner's Twitter

Lets scan this url with some scanners. Remember to add the referrer just in case.
urlQuery: http://urlquery.net/report.php?id=126118
Zulu: http://zulu.zscaler.com/submission/show/89f35c32401d3700557b1168f836c2be-1344800813
JSunpack: http://jsunpack.jeek.org/?report=6230f73b581143ae6f23c1bc6f3ab5e604f69bc2
Wepawet: http://wepawet.iseclab.org/view.php?hash=9566df1168749dc0f51a45621ac61717&t=1344800877&type=js
Sucuri: http://sitecheck.sucuri.net/results/ipad2free4u.com/newipadforfree0812/

urlQuery shows a document.write iframe, proven guilty in the Sucuri results. Zulu couldn’t recieve a return. Wepawet shows us where the hidden iframe redirects to, and JSunpack gives us all the elements of the site. The “3. Your email address will never be revealed to any third parties.” is 100% phish. The submit form itself is from another site.

Feel free to comment (i have 35+ spam compared to 2 valid comments ;-;)

 

Don’t let this phish trick you,

~!Donovan